Tag Info

You have a lot going on there... My best answer to this is to explain simply how I have seen session logging done in the past. Hopefully that will give you some options to explore.
As you have already mentioned, pulling the bash history from the user accounts. This only works after the session has ended. Not really the best option but it's easy and ...

Change the name of the executable (note that that also affects PAM configuration).
ln /path/to/sshd /path/to/sshd-whatever
Start as /path/to/sshd-whatever. And define PAM configuration in /etc/pam.d/sshd-whatever. Log entries will show as sshd-whatever instead of sshd.

This is done via templates, like this:
$template HostDynFile,"/var/log/HOSTS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%syslogfacility-text%_%HOSTNAME%_%$YEAR%_%$MONTH%_%$DAY%"
This template can then be used when defining an output selector line, e.g.:
*.* -?HostDynFile
More info is available here: Building A Central Loghost On CentOS And RHEL 5 With rsyslog

How can I extend this excluding rule to filter only those lines that contain: "DST=192.168.202.255" AND uses "udp" AND "PFILTER-DROP"?
Use something like:
filter demo_filter { program("PFILTER-DROP") and match("DST=192.168.202.255") and match("PROTO=UDP"); };

You can use a filter to match the program sending the message, in this case PFILTER-DROP, like this:
filter f_pfilterdrop {
program("PFILTER-DROP");
};
Then you include this filter in the log statement that writes to this log.

That functionality was once reserved to the commercial variant of nginx, but has since been included in the OS version. You can use the nginx module ngx_http_log_module for that.
Here's a link to the module documentation, explaining the setup and configuration:
http://nginx.org/en/docs/http/ngx_http_log_module.html
Usage
Syntax:
access_log path [format ...

This is a solution which takes care of the first question, as well as introduces the use of auditd interactively, outside of the pam_tty module solution provided in the other answer.
bash
First, as explained by a contributor, there might be syntax issues with the original setup and there is a better way to do this using the $BASH_COMMAND variable:
The ...

Sounds like rsyslog queueing might do what you want. Messages can also be stored for transmission during off-peak hours.
Specifically, the following:
The "$QueueDequeueSlowdown" directive allows to specify how long (in microseconds) dequeueing should be delayed.

From the Documentation (my boldface):
Match a regular expression to the headers and the message itself (i.e., the values returned by the MSGHDR and MSG macros).
Match a regular expression to the text of the log message, excluding the headers (i.e., the value returned by the MSG macros).

Three notes:
You should use a current git snapshot instead of alpha1, as alpha1 crashes on start-up.
Please ask on the syslog-ng mailing list, as there are more people to answer your question, including syslog-ng developers.
Even current git needs a patch, see this thread on the mailing list: 3.4 on opensuse factory